[cryptography] OT: THE GREAT SIM HEIST

rysiek rysiek at hackerspace.pl
Sun Feb 22 05:10:08 PST 2015


On Thursday, 19 February 2015 16:47:25 grarpamp wrote:
> On Thu, Feb 19, 2015 at 3:50 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> >  https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

In case anybody missed it:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
In order for the cards to work and for the phones’ communications to be 
secure, Gemalto also needs to provide the mobile company with a file 
containing the encryption keys for each of the new SIM cards. These master key 
files could be shipped via FedEx, DHL, UPS or another snail mail provider. 
More commonly, they could be sent via email or through File Transfer Protocol, 
FTP, a method of sending files over the Internet.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Wait, does that mean master keys were being sent in cleartext via the open 
Internet?

Yes. Yes it does.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The document noted that many SIM card manufacturers transferred the encryption 
keys to wireless network providers “by email or FTP with simple encryption 
methods that can be broken … or occasionally with no encryption at all.” To 
get bulk access to encryption keys, all the NSA or GCHQ needed to do was 
intercept emails or file transfers as they were sent over the Internet — 
something both agencies already do millions of times per day. A footnote in 
the 2010 document observed that the use of “strong encryption products … is 
becoming increasingly common” in transferring the keys.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- 
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147